major milestone document establishing the President’s intent to secure the national infrastructure

What does NIAC stand for?

National Infrastructure Advisory Council

What does NSTAC stand for?

National Security Telecommunications Advisory Committee

What does EO 13231 require?

that the responsible personnel oversee, develop, and ensure implementation of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control

Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.

What is the ISSEP definition of confidentiality?

Assurance that information is not disclosed to unauthorized individuals, processes, or devices.

What is the ISSEP definition of access control?

Limiting access to information system resources only to authorized users, programs, processes, or other systems.

What is the ISSEP definition of authentication?

Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

What is the ISSEP definition of non–repudiation?

Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.

What is a National Security System?

A system that:
~ Involves intelligence activities
~ Involves cryptologic activities related to national security
~ Involves command and control of military forces
~ Involves equipment that is an integral part of a weapon or weapons system
~ Is critical to the direct fulfillment of military or intelligence missions

According to NIST, what are the phases of the Systems Development Life Cycle (SDLC)?

Executive Office given statutory authority to issue E.O., proclamations, PDD/HSPD, and similar documents that initiate action, stop action, or require general notice be given.

What is the organizational role and authority of The US Congress?

Legislative body responsible for the USC and the general, permanent laws of the nation that it contains. Congress has the power to authorize the appropriation of federal spending to carry out government activities.

Has responsibility for ensuring that all cryptographic methods and systems used to protect USFG information and systems are sufficiently strong; for penetrating adversary systems and codes; and to ensure that all national security information is protected appropriately whether in transit or at rest

What is the organizational role and authority of NIST?

Has responsibility to ensure that standards and measures are developed to improve performance, and charged by law with responsibility for information security standards, metrics, tests, and various other means to support agencies' missions. Issues SP, FIPS, ITL Bulletins, NISTIR, and other guidance.

What is the organizational role and authority of NIAP?

NIAP is a partnership initiative between NIST and the NSA to meet the needs and requirements of IT/IA product producers and consumers by evaluating product functionality and pedigree.

What does OMB stand for?

Office of Management and Budget

What does NIST stand for?

National Institute of Standards and Technology

What does NIAP stand for?

National Information Assurance Partnership

What is the organizational role and authority of CNSS?

Formerly known as NSTISSC, the CNSS provides a participative forum to examine national policy and promulgates direction, operational procedures and instructions (CNSSI), and other forms of authoritative guidance for national security systems.

What is the significance of EO 13228?

Establishing the Office of Homeland Security and the HS Council (2001) – Initiates a comprehensive strategy to secure the US from terrorist attacks.

What is the significance of EO 13231?

CIP in the Information Age (2001) ~ which states policy to protect CI against compromise. Renamed NSTISSC to CNSS.

What is the significance of HSPD–7?

Homeland Security Directive 7 (2003) ~ which directs the identification and prioritization of CI assets and key resources to protect them from terrorist attacks. Supersedes PDD–63.

What is the significance of HSPD–12?

Homeland Security Directive 12 (2004) ~ which directs a common identification standard that is “secure and reliable” to verify employee identity.

~ Balance the government’s need to maintain information about individuals with the rights of individuals
~ Act focuses on four basic policy objectives:
– Restrict disclosure
– Increased rights of access to agency records
– Grant individuals the right to seek amendment
– Establish a code of “fair information practices”

What is the significance of the Clinger–Cohen Act of 1996?

~ Established that every federal agency must have a CIO
~ Reformed Information Technology Management
~ Defined a National Security System

What is the significance of OMB Circular A–130 Appendix III, 24 DEC 1985?

Management of Federal Information Resources
~ Mandatory implementation of Computer Security Act and FISMA requirements
~ Defines adequate security
~ Provides specific practices and guidelines for implementation of the Paperwork Reduction Act
– Established a mandate for agencies to perform their information resources management in an effective manner
~ Requires accreditation of federal IS to operate based on an assessment of management, operational, and technical controls

What is the definition of adequate security (according to OMB Circular A–130)?

“security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information.…provide appropriate confidentiality, integrity, and availability, through the use of cost–effective management, personnel, operational, and technical controls.”

Privacy Policies and Data Collection on Fed. Websites A continuation and update of M–99–18 to add the mention of “cookies” and their impact, and to add as mandatory compliance with the Children’s Online Privacy Act (COPA–98) (2000).

Mandatory Procedures for Major Defense Acquisition Programs (MDAPS) & Major Automated Information System (MAIS) Acquisition Programs (2001). Superseded effective December 2008 and replaced by DoDI 5000.02, which also cancels DoDI 5000.2 (2003). It called for risks and IA functions, capabilities, and features to be given consideration in the acquisition process of COTS and GOTS products.

NSTISSC was established by NSDD 42a (1990) in order to implement provisions and requirements of NSDD 42, and was renamed to CNSS by EO 13231 in 2001, in order to:
~ Consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards;
~ Assess the overall security posture of and disseminate information on threats to and vulnerabilities of national security systems;
~ Review and approve all standards, techniques, systems, and equipment related to the security of national security systems; and
~ Examine U.S. national security systems and evaluate their vulnerability to foreign interception and exploitation, and oversee mitigating action.

Issued 1994, Established the requirement for all Federal agencies operating NSS to have a C&A program; implemented through NSTISSI 1000.

Describe NSTISSP 7

Issued 1995. Specified functional, management, and technical requirements to produce a secure electronic messaging system for conduct of official business:
~ Additional guidance issued to implement by Y2000
~ To be government–wide interoperable across all NSS
~ Required this to be accomplished through common standards and procedures

Describe NSTISSP 11

Issued 2003. States policy that IA shall be done through COTS and GOTS products, and that such products are to be evaluated through CC processes:
~ Must achieve more than simply confidentiality;
~ COTS/GOTS should be used as more readily available;
~ IA achievement must evolve beyond traditional view;
~ OCONUS CC partner evals for EAL 1–4 accepted w/o NIAP
~ NIAP required as well for EAL 5–7 product requirements
Exceptions allowed:
~ Any COTS/GOTS acquired prior to policy effective date;
~ Recognition of the complexities of technology and evaluation process

Issued 1984, Protection of USFG contractor communications. In essence enforces the requirement for contractors to protect their communications (contract related) to the same level as the agency, and then charge that agency for the cost of meeting those requirements.

Describe NSTISSI 7003

Issued 1994, Protected distribution systems. This refers to systems that are used to transmit unencrypted traffic (NSI) through lower–cleared areas, and how, when, and where they can be used.

Describe NSTISSI 1000

Issued 2000, Establishes minimum national standards for C&A processes, and provides guidance on how to implement NSTISSP 6. Describes the NIACAP

Describe NSTISSAM CompuSec 1–98

Issued 1998, Describes the role of firewalls and other enclave boundary protections in accordance with Defense in Depth principles. Names firewall types: packet, proxy, and hybrids of these.

Describe NSTISSAM CompuSec 1–99

Issued 1999, Describes the decision to transition from TCSEC to CC, recognizing technology advances and the need for evaluation independence.

Describe NSTISSAM InfoSec 1–00

Issued 2000, States that the policy shall be that all applications or devices processing as Unclassified NSS that use crypto must use a form validated against FIPS 140 or the CC.

Describe NSTISSAM InfoSec 2–00

Issued 2000, Describes the policy and a strategy for using the NIAP to evaluate COTS using commercial labs. All units evaluated must be reviewed by NIAP for compliance with the CC, and a separate NIAP evaluation is optional.

Describe CNSSAM 1–04

Issued 2004, Provides guidance to all agencies that a multilayer/multivendor approach to IA architecture is desirable, as long as the overall architecture and engineering is performed in a sound and well–executed manner (to ensure optimal integration and interoperability).

Engineering Principles for IT Security, Baseline
~ Provides a listing of engineering principles (33) to be used to achieve appropriate levels of InfoSec
~ Tied very closely to the principles stated in 800–12 and 800–14
~ Specifies a five phase model for employing these principles:
– Initiation
– Development/Acquisition
– Implementation
– O&M Phase
– Disposal

Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
~ Provides guidance for agencies to consistently map impact levels to information types and sensitivities, and provides methods for evaluating the effectiveness of deployed controls in IT systems
~ Applicable to all Federal AIS other than NSS
~ Controls are assessed as: operating as intended; implemented effectively; providing the desired outcome

NIST SP 800–54

Border Gateway Protocol Security

NIST SP 800–59

Guideline for Identifying an Information System as a National Security System (NSS)

Standards for Security Categorization of Federal Information and Information Systems. Establishes standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels and potential impacts, using this general formula for AIS impact levels (on an H, M, L scale):
SC (AIS) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Result is a system categorization of High, Moderate, or Low. Using NIST 800–53 then provides the system control baseline.

What are the FIPS 199 impact levels?

Low Moderate High

What document(s) is/are used to categorize systems for FISMA?

FIPS 199

What document(s) is/are used to provide mapping guidelines recommending the types of information and information systems to be included in each category described in FIPS 199?

NIST SP 800–60

What document(s) is/are used to develop minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each category?

NIST SP 800–53 and FIPS 200

FIPS 200

Minimum Security Requirements for Federal Information and Information Systems Specifies minimum security requirements in 17 areas that are to be met using controls outlined in SP800–53. These are mandatory. No provision for waivers is made. Complements FIPS 199

What document(s) is/are used to define how C&A is performed under FISMA?

DES is permitted on legacy AIS only – and thus is still relevant to the ISSEP

FIPS 81

Triple DES is a FIPS approved algorithm of choice. Encourages transition to TDES as rapidly as prudent strategy and budgets permit

FIPS 140

Establishes requirements that must be met by modules to be used or considered for use in SBU systems, including voice systems. Describes a hierarchical system of increasing levels. Has a waiver procedure that allows relief in the event of a) adverse mission impact or b) financial impact.

Specifies that AES is a FIPS approved algorithm of choice. For use on SBU, but not classified information and AIS. Has a waiver procedure that allows relief in the event of a) adverse mission impact or b) financial impact. [For classified and financial data must use Type 1 crypto (AES 256 or better)]

FIPS 199 low impact characteristics?

limited adverse effect

FIPS 199 moderate impact characteristics?

serious adverse effect

FIPS 199 high impact characteristics?

severe or catastrophic adverse effect; threat to human life, or result in loss of major assets

What key components are considered with each level of impact in FIPS 199?

Guidelines for the Security C & A of Federal Information Systems (2004) ~ Issued by NIST under the authority of FISMA– 2002, and is consistent with OMB A–130. ~ Establishes guidelines (including tasks and subtasks) to certify and accredit information systems supporting the executive branch of the federal government ~ Applicable to non–national security information systems as defined in the FISMA of 2002 ~ Replaces FIPS Publication 102 (withdrawn 2005)

ISO/IEC 15408
~ Rainbow series was too rigid, did not take many things into account, and required expensive evaluations
~ ITSEC provided more flexibility, but added more complexity with its attempts
~ Made up from: TCSEC; ITSEC; Canadian Trusted Computer Product Evaluation Criteria (CTCPEC); Federal Criteria from US, UK, Germany, France, Canada

1. Evaluate the conditions between the evaluated product and the present situation.
2. Evaluate the differences of the conditions for regression and/or independent testing.
3. Determine if additional security requirements are required for the present situation.
4. Analyze the security impact of the interfaces.
5. Perform the testing and/or analysis.

What is the intended scope/application of the Common Criteria?

A paradigm used to specify security properties of IT products and systems that address:
~ unauthorized disclosure (confidentiality, privacy)
~ unauthorized modification (integrity)
~ loss of use (availability)
The basis for comparison of the results of independent evaluations. Applicable to IT security functions implemented by hardware, software, and firmware.

How do consumers use the Common Criteria?

They need to document user requirements in the protection profile:
~ Part I: structure for PP
~ Part II & III: guidance for formulating and determining reqs

~ Answers the question: “What do I need in a security solution?”
~ Implementation independent for a class of products or systems
~ Protection Profile authors: anyone who wants to state IT security needs (e.g., commercial consumer, consumer groups), anyone who supplies products which support IT security needs… anyone.
~ PP makes a statement of implementation independent security needs, e.g., a generic OS with DAC, Audit, and I&A

Security Environment defined with consideration to the:
~ Purpose and function of the TOE
~ Environment in which the TOE operates (IT & Non–IT)
– IT Environment – Security services or capabilities provided by IT systems or products that are not part of the TOE
– Non–IT Environment – Security implemented by personnel
~ Assets to be protected
Assumptions ~ The security aspects of the environment in which the TOE will be used or is intended to be used.
Threats ~ The ability to exploit a vulnerability by a threat agent.
Organizational Security Policies (OSPs) ~ A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations.

What are the Common Criteria security objectives?

Objectives establish the basis for the selection of security requirements (functional & assurance). Objectives are completely based upon the statement of the Security Environment. Objectives:
~ Support Assumptions
~ Counter Threats (eliminate, minimize, monitor)
~ Enforce OSPs
Objectives are the “focal point” of the PP/ST

What are Common Criteria security functional requirements?

Levied upon functions of the TOE that support IT security; their behavior can generally be observed

According to NIST 800–37, what is the role of the Senior Agency Information Security Officer?

~ Carrying out the Chief Information Officer responsibilities under FISMA
~ Possessing professional qualifications, including training and experience, required to administer the information security program functions
~ Primary duty is information system security
~ Heading an office with the mission & resources
~ Serving as the authorizing official's designated representative
~ Serving as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers

According to NIST 800–37, what is the role of the Information System Owner?

~ Represents the interests of the user community
~ Prepares security plan and conducts risk assessment
~ Informs agency officials of the need for security certification and accreditation of the information system; ensures appropriate resources are available
~ Provides the necessary system–related documentation to the certification agent
~ Prepares plan of action (and milestones) to reduce or eliminate vulnerabilities in the information system
~ Assembles final security certification package; submits to authorizing official

According to NIST 800–37, what is the role of the Information System Security Officer?

~ Serves as principal staff advisor to the system owner on all matters involving the security of the information system
~ Manages the security aspects of the information system and, in some cases, oversees the day–to–day security operations of the system
~ Assists the system owner in:
– Developing and enforcing security policies for the information system
– Assembling the security certification package
– Managing and controlling changes to the information system and assessing the security impacts of those changes

According to NIST 800–37, what is the role of the Certification Agent?

~ Provides an independent assessment of the security plan
~ Evaluates the security controls in the information system to determine:
– The effectiveness of those controls in a particular environment of operation
– The vulnerabilities in the system after the implementation of such controls
~ Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

According to NIST 800–37, what is the role of the User Representative?

~ Represents the operational interests and mission needs of the user community
~ Identifies mission and operational requirements
~ Serves as the liaison for the user community throughout the life cycle of the information system
~ Assists in the security certification and accreditation process, when needed

According to the IATF, how is IA implemented in the system life cycle?

System Life Cycle is a process by which systems are developed, from pre–concept to deployment and disposal. IA objectives are to achieve levels of confidentiality, integrity and availability commensurate with the type and value of data, mission requirements, support organization, etc. The processes:
~ Generally Accepted System Security Principles (GASSP)
~ Security in the System Life Cycle (SLC)
~ Common IT Security Practices
~ NIST Engineering Principles
~ ISSE, CMM, and IATF

List the first 7 NIST Engineering Principles

1. Establish a sound security policy as the “foundation” for design
2. Treat security as an integral part of the overall design
3. Clearly delineate the physical and logical security boundaries governed by associated security policies
4. Reduce risk to an acceptable level
5. Assume that external systems are insecure
6. Identify potential trade–offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
7. Ensure no single point of vulnerability

List NIST engineering principles 8 –14

8. Implement tailored system security measures to meet organizational security goals
9. Strive for simplicity
10. Design and operate an IT system to limit vulnerability and to be resilient in response
11. Minimize the system elements to be trusted
12. Implement security through a combination of measures distributed physically and logically
13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats
14. Limit or contain vulnerabilities

21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains
23. Use unique identities to ensure accountability
24. Implement least privilege
25. Do not implement unnecessary security mechanisms
26. Protect data during all the transaction’s phases
27. Strive for operational ease of use

List NIST engineering principles 28–33

28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
29. Consider custom products to achieve adequate security
30. Ensure security in the shutdown or disposal of a system
31. Protect against all likely classes of “attacks”
32. Identify and prevent common errors and vulnerabilities
33. Ensure that developers are trained to develop secure software

Provides an integrated process (involving technical and non–technical aspects) for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization’s mission. It defines the requirements for the TCB hardware, software, and firmware, and applies the processes to achieve a layered protection architectural strategy known as “Defense in Depth”, to defend the:
~ Computing Environment
~ Enclave Boundary
~ Network and Infrastructure
~ Supporting Infrastructures

What 3 areas does the IATF technical process focus on?

~ People – those authorized to perform the work
~ Technology – the tools and technologies used
~ Operations – the processes and activities

What is the goal of IATF?

“Defense in Depth” implementation

What are the principles of defense in depth?

~ Defense in multiple places: to protect against internal and external threats
~ Layered defenses: to ensure adversaries must negotiate multiple impediments to gain access and achieve attack goals
~ Security robustness: the assurance and relative strength of the security component against anticipated threats
~ Deploy KMI/PKI: deployment of robust key management infrastructures and PKI technologies
~ Deploy intrusion detection systems: use of IDS and similar technologies to detect intrusions, evaluate information and results, and take or support taking action.

An “Information System”: ~ Also referred to as: Automated Information System (AIS), Information Technology System ~ “Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”

What is the IATF definition of a security engineer?

“A Security Engineer, through engineering discipline and process, helps build dependable systems in the face of malice, error, or mischance.” “As a discipline, it focuses on tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.”

What is the IATF definition of a threat?

The likelihood that the impact of an unwanted incident will be realized

What is the IATF definition of a vulnerability?

An inherent or intrinsic flaw or weakness in a system, its subsets, or components (hardware, software, or firmware) that can be exploited by a threat

What is the IATF definition of impact?

An adverse operational impairment or loss caused by the materialization of a threat

What is the IATF definition of risk?

The quantification of a) probability that a threat will materialize and cause impact, or b) the estimate of potential financial loss (exposure) an organizational unit might experience in a scenario

What is the IATF definition of trust?

~ All protection mechanisms work cohesively to process sensitive data for all authorized users and maintain the required level of protection ~ Consistent enforcement of policy through all states

What is the IATF definition of assurance?

~ Degree of confidence that the system will act in a correct and predictable manner in all possible computing situations ~ Known inputs produce expected results through all states

What is the engineering definition of a system?

a combination of elements designed to function as a unit to perform a function

What is the engineering definition of a structure?

formulation of systems or processes to perform a function or achieve an objective

What is the engineering definition of a function?

a description of work that a system must perform to meet customer requirements

Phase 1 (Initiation) – Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)

What are the risk management actions of Phase 2 of the SLC?

Phase 2 (Development/Acquisition) – The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development

What are the risk management actions of Phase 3 of the SLC?

Phase 3 (Implementation) – The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation

What are the risk management actions of Phase 4 of the SLC?

Phase 4 (Operation/Maintenance) – Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (i.e., new system interfaces)

What are the risk management actions of Phase 5 of the SLC?

Phase 5 (Disposal) – Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner

What are the inputs to step 1 of the SP 800–30 Risk Assessment Activities?

What are the inputs to step 7 of the SP 800–30 Risk Assessment Activities?

~ Likelihood of threat exploitation
~ Magnitude of impact
~ Adequacy of planned or current controls

What are the outputs to step 1 of the SP 800–30 Risk Assessment Activities?

~ System boundary ~ System functions ~ System and data criticality ~ System and data sensitivity

What are the outputs to step 2 of the SP 800–30 Risk Assessment Activities?

~ Threat statement

What are the outputs to step 3 of the SP 800–30 Risk Assessment Activities?

~ List of potential vulnerabilities

What are the outputs to step 4 of the SP 800–30 Risk Assessment Activities?

~ List of current and planned controls

What are the outputs to step 5 of the SP 800–30 Risk Assessment Activities?

Likelihood rating

What are the outputs to step 6 of the SP 800–30 Risk Assessment Activities?

Impact rating

What are the outputs to step 7 of the SP 800–30 Risk Assessment Activities?

Risks and associated risk levels

What are the outputs to step 8 of the SP 800–30 Risk Assessment Activities?

Recommended controls

What are the outputs to step 9 of the SP 800–30 Risk Assessment Activities?

Risk Assessment Report

What is the DoD 500.2–R definition of Systems Engineering?

The systems engineering process shall:
~ Transform approved operational requirements into an integrated system design solution through concurrent consideration of all life–cycle needs
~ Ensure the integration of all operational, functional, and physical interfaces, and that system definition and design reflect the requirements for all system elements
~ Characterize and manage technical risks
~ Apply engineering principles to identify security vulnerabilities and contain information assurance as well as enforce protection risks associated with these vulnerabilities

What is security engineering?

It is the application of traditional systems engineering processes to the specific problems and issues regarding assurance and security of systems and information.

1. Development: the initial phases of planning and executing system definition tasks required to meet the evolving customer need
2. Manufacturing: the activities necessary to produce models and prototypes to demonstrate the planned design functionality
3. Test: performance validation of the prototype or the pre–commission version of the produced solution to measure customer satisfaction
4. Distribution: delivery and commissioning of the produced solution in the planned operational environment(s)
5. Operations: the produced solution performing as intended/expected
6. Support: sustaining maintenance of the produced solution
7. Training: all tasks, tools, and technologies employed to prepare and sustain human knowledge and proficiency in the produced solution
8. Disposal: the disposal, retirement, or recycling of the original produced solution in a secure and environmentally sound manner

What is the goal of activity 1 of the IATF ISSE process?

Discover Information Protection Needs Ascertain why the system needs to be built – what needs the system must fulfill.

What is the goal of activity 2 of the IATF ISSE process?

Define System Security Requirements Define the system in terms of what the system needs to be able to do.

What is the goal of activity 3 of the IATF ISSE process?

Define System Security Architecture: Use previously documented information to choose the types of security components that will perform specific security functions. This process is the core of designing the security architecture.

What is the goal of activity 4 of the IATF ISSE process?

Develop Detailed Security Design Based on the security architecture, begin to design the system to be able to do what it needs to.

What is the goal of activity 5 of the IATF ISSE process?

Implement System Security: Build/implement the system so it does what it is supposed to do.

What is the goal of activity 6 of the IATF ISSE process?

Assess Security Protection Effectiveness Assess the degree to which the system, as it is defined, designed, and implemented, meets the needs. This assessment activity occurs during and with all the other activities in the ISSE process.

What is the goal of activity 7 & 8 of the IATF ISSE process?

Plan and Manage Technical Effort ~ Planning the technical effort occurs throughout the ISSE process. ~ ISSE must review each of the following areas to scope support to the customer in conjunction with the other activities. ~ Requires a unique skill set, and is likely to be assigned to senior–level personnel.

The need for a system is expressed and the purpose of the system is documented:
~ Discover information protection needs
~ Define system security requirements
~ Categorize/characterize the system (as intended in final form)
~ Conduct a Sensitivity Assessment
~ Prepare a Security Plan (initial, very general working plan)
~ Initiate Risk Assessment activities
All items are documented and become part of the system history and build baseline documentation.

What tasks must the ISSE complete while Discovering Information Protection Needs?

~ Develop an understanding of the customer’s mission or business
~ Help the customer determine what information management is needed to support the mission or business
~ Create a model of that information management, with customer concurrence
~ Document the results as the basis for defining information systems that will satisfy the customer’s needs

What are the key documents/components produced when discovering information protection needs?

The system is designed, purchased, programmed, developed, or otherwise constructed:
~ Design system security architecture
~ Develop detailed security design
~ Incorporate Security Requirements Into Specifications
~ Make–Buy decisions are made:
– Procurement (component or turn–key)
– Program
– Build
All items are documented and become part of the system history and build baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.

What tasks must the ISSE complete while defining system security requirements?

The ISSEP defines a solution set that satisfies the information protection needs of the IPP. A solution set consists of:
~ The System Context
~ A Concept of Operations (CONOPS)
~ The System Requirements

What are the ISSE duties during the Implementation phase?

The system is tested and installed or fielded:
~ Install and configure selected controls and countermeasures
~ Enable and test all controls required in the design documentation
~ Verification and validation of controls functionality
~ Security Testing
All items are documented and become part of the system history and build baseline documentation. Previously recorded items are refined, updated or replaced as required to ensure accuracy.
~ Design system security architecture

What tasks must the ISSE complete while designing system security architecture?

~ Design must satisfy customer–specified design constraints and the security requirements
~ Design should project the schedule and cost of long–lead items and life–cycle support
~ Design should be under configuration control
~ Design should include a revised security CONOPS
~ Trade–offs must consider priorities, cost, schedule, performance, and residual security risks
~ Failures to satisfy security requirements must be reported to C&A authorities

What tasks must the ISSE complete when developing a detailed security design?

The system is being modified by the addition or removal of components, features, or changes in them:
~ Security Operations and Administration
~ Operational Assurance and measurement
~ Audits and Monitoring and subsequent corrective actions
~ Assessment of controls effectiveness
~ Configuration and change management
All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.

~ Participation in the testing of protection mechanisms and functions
~ Verification that the system implementation does protect against the threats identified in the original threat assessment
~ Application of information protection assurance mechanisms related to system implementation and testing practices
~ Continuing risk management
~ Supporting the C&A processes

What tasks must the ISSE complete during the disposal phase?

This involves the final disposition of data, hardware, and software:
~ Information archiving
~ Data transferral to new operational environment
~ Media Sanitization
~ Retirement or destruction
~ Recycling
All items are documented and become part of the system history and operational baseline documentation. Previously recorded items are updated or replaced as required to ensure accuracy.

Why use the CMM approach?

~ Accepted way of defining practices and improving capability
~ Increasing use in acquisition as an indicator of capability
~ ROI for software indicates success

~ Passive attacks can result in the disclosure of data to an attacker without the knowledge of the user
~ Active attacks include attempts to circumvent protection features to execute a deliberate attack
~ Close–in attacks occur when an attacker is in close physical proximity to resources to launch an attack
~ Insider attacks can be malicious or non–malicious:
– Malicious insiders intend to deliberately attack an asset
– Non–malicious attacks typically result from lack of knowledge
~ Distribution attacks focus on the malicious modification of resources during production or distribution

To achieve more secure information systems within the federal government by:
~ Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems
~ Promoting a better understanding of agency–related mission risks resulting from the operation of information systems
~ Creating more complete, reliable, and trustworthy information for authorizing officials in order to facilitate more informed accreditation decisions

What is the NSTISSI 4009 definition of Certification?

“The comprehensive evaluation of the technical and non–technical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a specified set of security requirements.”

What are the characteristics of certification?

~ Formal process for testing systems against a set of security requirements
~ Performed by an independent reviewer instead of someone who was involved with building or operating the system
~ The amount of rigor employed may vary depending on the system level or operational context

What is accreditation?

The decision given by the designated senior agency official to authorize operation of an information system:
~ In a particular security mode
~ Using a prescribed set of controls
~ Against a defined threat
~ At an acceptable level of risk
~ For a specific period of time
The official explicitly accepts the risk to agency assets based on the implementation of these security conditions. [remember the phrase "and the nation"]

What is the NSTISSI 4009 definition of Accreditation?

“A formal declaration by the DAA that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.”

What are the significant benefits of C&A?

~ More consistent, comparable, and repeatable security evaluations
~ More complete, reliable technical information for information system accreditation authorities, leading to better understanding of complex systems and associated risks and vulnerabilities
~ Greater availability of competent certification services for customers
~ Assessments by accredited organizations can form the basis for cyber insurance policy decisions

What is the NSTISSI 4009 definition of an Automated Information System (AIS)?

“Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”

What is Information Assurance?

Measures that protect and defend information and information systems by ensuring their availability, integrity, confidentiality, authentication and non–repudiation. This includes providing for restoration of information systems by incorporating the following capabilities: protection, detection, and reaction.

Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.

What is confidentiality?

Assurance that information is not disclosed to unauthorized individuals, processes, or devices.

What is Access Control?

Limiting access to information system resources only to authorized users, programs, processes, or other systems.

What is Authentication?

Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

What is Non–Repudiation?

Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.

What are the accreditation options?

1 – System: accreditation evaluates a major system application or a clearly defined independent system.
2 – Type: accreditation evaluates a common application or system that is distributed to a number of different locations.
3 – Site: accreditation evaluates applications and systems at a specific, self–contained location.

What are C&A artifacts?

System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls.

“security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. … provide appropriate confidentiality, integrity, and availability, through the use of cost effective management, personnel, operational, and technical controls.”

What executive order mandates C&A?

Executive Order 13231, 16 October 2001: Critical Infrastructure Protection in the Information Age

“The PM represents the interests of the AIS, and is responsible for the AIS throughout its lifecycle; ensures the security requirements are integrated in order to achieve an acceptable level of risk as documented in the SSAA, and keeps all participants informed of AIS lifecycle actions, security requirements and user needs.”

What is the NSTISSI 4009 definition of Designated Approving Authority?

“The primary government official responsible for implementing system security. An executive with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk, and to balance the needs of the system with the security risks.”

What is the NSTISSI 4009 definition of User Representative?

“Official with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk.”

What is the NSTISSI 4009 definition of Information Systems Security Officer?

“Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.”

What is the DoDI 5200.40 definition of System Security Authorization Agreement?

“A description of the system mission, target environment, target architecture, security requirements, and applicable data access policies. It also describes the applicable set of planning and certification actions, resources, and documentation required to support the certification and accreditation. It is the vehicle that guides the implementation of INFOSEC requirements and the resulting certification and accreditation actions.”

What does the SSAA document?

~ The operating environment and the threat
~ The AIS security architecture and the C&A boundary of the AIS to be accredited
~ The agreement among the parties involved
~ All requirements necessary for accreditation
~ Condenses and consolidates the documentation requirements (CONOPS, tests, etc.)
~ The overall C&A plan (NIACAP/DITSCAP)
~ The test plans, results, and residual risk
~ The baseline security configuration document

What are the characteristics of an SSAA?

~ Describes the operating environment and threat
~ Describes the system security architecture
~ Establishes the C&A boundary of the system
~ Documents the formal agreement among the DAA, certifier, program manager, and user representative
~ Documents all requirements necessary for accreditation
~ Documents test plans and procedures, certification results, and residual risk
~ Forms the baseline security configuration document

What actions are required in Task 1 of DITSCAP Definition: Determine Mission Needs?

Registration begins with preparing the business, mission, or operational functional description as well as system description and system identification. The information collected during the preparation activity is evaluated and applicable information assurance requirements are determined.

What actions are required in Task 2 of DITSCAP Definition: Determine Mission Needs?

Inform the DAA, Certifier, and user representative that the system will require C&A support (register the system).

What actions are required in Task 3 of DITSCAP Definition: Determine Mission Needs?

Prepare the environment and threat description. Threats should be assessed against the specific business functions and system description to determine the required protection. The threat, and subsequent vulnerability assessments, must be used in establishing and selecting the IA policy objectives that will counter the threat.

What actions are required in Task 4 of DITSCAP Definition: Determine Mission Needs?

Prepare system architecture description, describe the C&A boundaries, and document relationships with external systems or equipment.

What actions are required in Task 5 of DITSCAP Definition: Determine Mission Needs?

Determine the system security requirements. The risk management and vulnerability assessment actions commence. A risk management process may also be installed in an effective, understandable, and repeatable manner.

What actions are required in Task 6 of DITSCAP Definition: Determine Mission Needs?

Tailor the C&A tasks, determine the level of effort, and prepare a C&A plan. The C&A team determines the level of effort by evaluating the security requirements and the degree of assurance needed in areas such as confidentiality, integrity, availability, and accountability. The planned level of effort is targeted at addressing the security requirements and fulfilling the mission of the program.

What actions are required in Task 7 of DITSCAP Definition: Determine Mission Needs?

Identify organizations involved in C&A and the resources required.

What actions are required in Task 8 of DITSCAP Definition: Determine Mission Needs?

Develop the draft SSAA during the registration activities to consider the program’s system development approach and life cycle stage, existing documentation and environment, architecture and business functions, and documentation on users and data classification and categorization.

In the Definition phase of DITSCAP (Registration), what information is needed?

~ Phase 1 End Product (refined in later phases)
~ Document the formal agreement among the DAA, the CA, the user representative, and the program manager
~ Document all requirements necessary for accreditation
~ Document all security criteria for use throughout the IT system life–cycle
~ Minimize documentation requirements by consolidating applicable information into the SSAA
~ Document the DITSCAP plan

How each assigned IA control is implemented. Implementation follows guidelines described in the DIACAP KS.

What information is included in the DIACAP DIP?

~ IA Control #
~ IA Control Subject Area
~ IA Control Name
~ IA Control Text (Requirement)
~ Threat/Vulnerability/Countermeasure
~ General Implementation Guidance
~ System–specific Guidance
~ Resource

What is a DIACAP Scorecard?

~ Summary report that succinctly conveys information on the IA posture of the system in a format that can be exchanged electronically.
~ Documents the accreditation decision and must be signed, either manually or with a DoD PKI–certified digital signature.
~ The Scorecard contains a listing of all IA controls and their status of either C, NC, or NA.
~ Additional data elements may be specified by CIOs, DAAs, or other enterprise users of the Scorecard.

What is a DIACAP POA&M?

~ Is a management tool.
~ Its primary purpose is to assist agencies in identifying, assessing, prioritizing, and monitoring security weaknesses found in programs and systems, along with the progress of corrective efforts for those vulnerabilities.
~ OMB requires agencies to prepare IT Security POA&Ms for all programs and systems in which an IT security weakness has been found.
~ Agency CIOs must report their progress on at least a quarterly basis to OMB.

Technical Advisory Group (TAG)
~ A formally chartered body established by ASD–NII and DoD CIO to examine and address common C&A issues, including changes to the baseline IA controls, across the DoD Component IA programs, IA Communities of Interest (COIs), and other GIG entities.
~ The DIACAP TAG also maintains configuration control and management of the DIACAP and all its supporting content on the DIACAP KS.

What is the role of the DIACAP IA Senior Leadership?

IA Senior Leadership (IASL)
~ Provides the integrated planning, coordination, and oversight of the Department's IA programs to assure the availability, integrity, authentication, confidentiality, and non–repudiation of the Department's mission essential and mission support information and the reliability of the DII.

What does the DIACAP apply to?

DIACAP applies to DoD–owned information systems and DoD–controlled information systems operated by a contractor or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification or sensitivity

The senior official representing the interests of a GIG MA regarding C&A:
~ Represent the interests of the MA and, as required, issue accreditation guidance specific to the MA, consistent with this Instruction.
~ Appoint flag–level (e.g., general officer, senior executive) PAA Representatives to the DISN/GIG Flag Panel.
~ Resolve accreditation issues within their respective MAs and work with other PAAs to resolve issues among MAs, as needed.
~ Designate DAAs for MA ISs, if required, in coordination with appropriate DoD Components.

What is the PAA Representative?

Appointed by the PAA:
~ Serve as a member of the DISN/GIG Flag Panel.
~ Provide MA–related guidance to DAAs, Milestone Decision Authorities (MDA), the DSAWG, and the DIACAP TAG.
~ Advise the corresponding MA PAAs and assist the DoD CIO and SIAO in assessing the effectiveness of GIG IA capabilities.

What do the Heads of DoD Components do to support DIACAP?

~ Ensures DoD ISs under their purview comply with the DIACAP.
~ Operates only accredited ISs.
~ Complies with all accreditation decisions, including denial of authorization to operate (DATO), and enforces authorization termination dates (ATD).
~ Ensures that an annual assessment of the DoD Component IA program is conducted.
~ Appoints DAAs for DoD ISs under their purview.

What is the role of the DAA in DIACAP?

The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. Accreditation decisions:
~ ATO
~ IATO
~ DATO
~ IATT
Responsible for the mission and resources. Must be a Government employee.

What is the role of the CIO in DIACAP?

Appoints the DoD Component SIAO. Ensures:
~ Implementation and validation of IA controls through the DIACAP are incorporated in the IS’s life–cycle management processes.
~ C&A status of the ISs is visible to the ASD(NII)/DoD CIO and PAAs.
~ Collaboration and cooperation between the DoD Component IA program and the PAA and DAA structure.
~ A PM or SM is identified for each IS.
Establishes and manages an IT Security POA&M program.

Ensures that:
~ Each assigned DoD IS has a designated IA manager (IAM) with the support, authority, and resources to satisfy their responsibilities.
~ Information system security engineering is employed to implement or modify the IA component of the system architecture in compliance with the IA component of the GIG Architecture and to make maximum use of enterprise IA capabilities and services.
~ IT Security POA&M development, tracking, and resolution are performed.
~ Annual reviews of assigned ISs required by FISMA are conducted.

What is the role of the user representative in DIACAP?

~ Represents the operational interests of the user community in the DIACAP. ~ Supports the IA controls assignment and validation process to ensure user community needs are met.

Who are the members of the certifying team in DIACAP?

Certifying Authority (CA)
~ The senior official having the authority and responsibility for the certification of information systems governed by a DoD Component IA program.
~ Makes the certification recommendation to the DAA.
~ Can be the SIAO.
CA Representative/Analyst
~ Delegated the responsibility of reviewing and assessing the DIACAP package for compliance and risk.
Validator
~ Individual responsible for conducting a validation procedure.

What is the role of the ISSE in DIACAP?

Information Systems Security Engineer ~ An individual that performs the Information Systems Security Engineering functions. ~ Works with system architects, engineers, and developers to ensure that IA controls are designed and implemented into a system throughout the development process.

What is the role of the IAM in DIACAP?

~ Support the PM or SM in implementing DIACAP.
~ Advise and inform the DoD Component IA program on ISs C&A status and issues.
~ Comply with the DoD Component IA program’s information and process requirements.
~ Provide direction to the IA Officer (IAO).
~ Coordinate with the organization’s SM to ensure issues affecting the organization’s overall security are addressed appropriately.
~ Similar to the IA title Information Systems Security Manager (ISSM) used elsewhere.

What is the role of the IAO in DIACAP?

~ An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. ~ While the title IAO is favored within the DoD, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer).

Applicable to DoD information systems, the mission assurance category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. MACs are primarily used to determine the requirements for availability and integrity. The DoD has three defined MAC Levels: ~ MAC I ~ MAC II ~ MAC III

Classified:
~ Kept secret in the interest of national defense or foreign policy.
~ Includes Confidential, Secret, and Top Secret.
Sensitive:
~ Could adversely affect the national interest or the conduct of Federal programs, or the privacy of individuals.
Public:
~ Has been reviewed and approved for public release by the information owner.

An objective IA condition of integrity, availability or confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format, i.e., a control number, a control name, control text, and a control class. Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with reference OMB A–130.

What are the objective conditions for DIACAP IA Controls?

~ objective condition is testable ~ compliance is measurable, and ~ activities required to achieve the IA Control are assignable and thus accountable.

How are DIACAP IA controls assigned?

Assignment of the controls is made according to:
~ MAC
~ CL

How are DIACAP IA controls laid out?

Are laid out in: ~ IA Control Subject Areas ~ IA Control Names

List the DIACAP IA control areas, their acronym and number of controls?

Management, operational, and technical controls employed in lieu of recommended controls that provides equivalent or comparable protection for an information system.

What is a DIACAP CAT Severity Code?

Indicates:
~ Risk level associated with non–compliance, and
~ Urgency with which corrective action must be completed.
The CA assigns the CAT codes to a system security weakness during certification analysis. How serious are these codes:
~ A CAT I rating for a MAC I or MAC II must, at a minimum, be classified CONFIDENTIAL.
~ CAT II weaknesses must be reviewed for their classification level.

What are Category I Severity Code Weakness?

Allows:
~ Primary security protections to be bypassed.
~ Immediate access by unauthorized personnel or unauthorized assumption of super–user privileges.
Only the Component CIO can:
~ Authorize operation of a system with a CAT I weakness, and then only through an IATO.
The system must be:
~ Critical to military operations, and failure to deploy will preclude mission accomplishment.
~ A copy of the authorization must be sent to the DoD SIAO.

What are Category II Severity Code Weakness?

A weakness that can lead to unauthorized system access or activity. Usually corrected or mitigated to a point where any residual risk is acceptable.
Can be granted an ATO:
~ Only when clear evidence exists that the deficiency can be mitigated within 180 days of the accreditation decision.
~ Only one 180–day extension allowed.
DAA:
~ Will normally issue a DATO if not corrected or mitigated in 360 consecutive days.

What are Category III Severity Code Weakness?

CAT III
~ One that, if corrected, will improve the system’s IA posture.
DAA
~ Will determine if these types of weaknesses will be corrected or if the risk will be accepted.
CAT IIIs accepted by the DAA will be documented in the POA&M:
~ Marked N/A in the scheduled completion date column
~ Note acceptance by DAA in the milestone column
~ Note risk accepted in the status column

What are the types of DIACAP packages?

Comprehensive Package
~ Used for the CA recommendation
~ Includes all the information resulting from the DIACAP process
Executive Package
~ Less than the Comprehensive package
~ Used for an accreditation decision
~ Provided to others in support of accreditation or other decisions, such as connection approval
Actual Artifact Formats:
~ Each DAA will determine what information is necessary to make an accreditation decision and what format they want it presented in.

What documents constitute a DIACAP Comprehensive Package?

SIP, DIP, Supporting Certification Documentation, Scorecard, POA&M

What documents constitute a DIACAP Executive Package?

SIP, Scorecard, POA&M

What is the DIACAP Knowledge Service?

~ A Web–based, DoD PK–enabled DIACAP knowledge resource that provides current GIG IA C&A.
~ A library of tools, diagrams, process maps, documents, etc., to support and aid in execution of the DIACAP.
~ A collaboration workspace for the DIACAP user community to develop, share and post lessons learned & best practices.
~ A source for IA news and events and other IA related information resources.

Project Management is a structured, pro–active management approach for finite undertakings that produce a unique product, service, or other result.

What are the characteristics of technical project management?

It is characterized by the application of knowledge, skills, tools, and techniques in detailed planning and execution of the endeavor.

How is technical project management accomplished?

It is accomplished through integrated and logically flowing processes to perform initiating, planning, executing, monitoring, controlling, and close–out activities while balancing competing demands for quality, scope, schedule, and cost.

What is a project framework?

The Project Framework illustrates and combines all elements necessary to begin, manage, and conclude a project. It starts as a skeleton with basic contents and evolves and expands as the project proceeds.

What is a scope statement?

A formal definition agreed to by all stakeholders in the project, describing what is to be done, why it is being undertaken, who will be engaged to do the work and when the whole venture should be completed.

What is milestone identification?

Refers to the process of identifying those discrete steps in a project which represent major steps of achievement, and are generally tied to progress payments.

What is a work breakdown structure?

This step consists of both the decomposition of all the work associated with milestone achievement into individual work tasks, as well as the identification of all dependencies.

What is a baseline project plan?

This is the final set of project documents which collectively represents the foundation “agreement” from which work will proceed to its desired end–product or solution. Changes to the baseline should be managed carefully and precisely to avoid unwanted or unforeseen impacts.

What are change management procedures?

Formal change management is vital in order to avoid unplanned or unmanaged impacts occurring that adversely affect the project schedule or resource profiles. All changes considered must be reviewed and formally agreed to by all parties after discussing issues and risks, and before proceeding with the proposed modifications. Prevents “scope creep”.

Define activity

A discrete element of work performed during the course of a project. Has measured duration, cost, and resource requirements. Often subdivided into tasks.

Define baseline

Officially approved version of the plan (cost, schedule, or technical) for a project, a work package, or an activity, plus or minus approved scope changes. Normally altered or updated through changes in scope, funding, schedule, requirements, etc. through the Change Management process.

Define critical path

Series of activities that determines the duration of the project. In a deterministic model, the critical path is usually defined as those activities with float equal to zero. It is the longest path through the project. See critical path method.

Define critical path method (CPM)

A network analysis technique used to assess the degree of flexibility (float) through multiple scheduling paths in project duration in order to determine overall project duration, and task start/end dates (early–late).

Define decision tree analysis

The decision tree is a diagram that describes a decision under consideration and the implications of choosing one or another of the available alternatives, incorporating risk, value, scheduling, and potential–outcome variables.

Define deliverable

A measurable, tangible, verifiable outcome, result, or item that must be produced to complete a project or part of a project.

Define Deming cycle

Another name for the “Plan–Do–Check–Act” model popularized by W. Edwards Deming as a continual quality management tool.

Define dependency

An action, input, or outcome (cost, schedule, or other factor) that creates a cause–and–effect relationship between two or more aspects of a project. Can result in a slippage, acceleration, overrun, or similar result in the affected element.

Define estimate

An assessment of the likely quantitative result; as in cost, schedule, outcome, plus or minus some percent or ROM.

Define life–cycle costing

The concept of including acquisition, operating, and disposal costs when evaluating various alternatives.

Define network analysis

The process of identifying early and late start and finish dates for the uncompleted portions of project activities. See also critical path method, program evaluation and review technique, and graphical evaluation and review technique.

Define Pareto diagram

A histogram, ordered by frequency of occurrence, that shows how many results were generated by each identified cause.

Define PERT chart

The term is commonly used to refer to a project network diagram.

Define PERT

Program Evaluation and Review Technique (PERT): An event–oriented network analysis technique used to estimate program duration when there is uncertainty in the individual activity duration estimates. PERT applies the CPM using durations that are computed by a weighted average of optimistic, pessimistic, and most likely duration estimates. PERT computes the standard deviation of the completion date from those of the path’s activity durations. Also known as the Method of Moments Analysis.

Define project

A temporary endeavor undertaken to create a unique product, service, or result.

Define project life–cycle

A collection of generally sequential project phases whose name and number are determined by the control needs of the organization or organizations involved in the project.

Define project network diagram

Any schematic display of the logical relationships of project activities. Always drawn from left to right to reflect project chronology. Often referred to as a PERT chart.

Define project plan

A formal, approved document used to guide both project execution and project control. The primary uses of the project plan are to document planning assumptions and decisions, facilitate communication among stakeholders, and document approved scope, cost, and schedule baselines. A project plan may be produced or presented in a summary or detail form.

The planned dates for performing activities and the planned dates for meeting milestones.

Define project scope

The work that must be done to deliver a product with the specified features and functions. Also, the sum of the products and services to be provided as a project. See also product scope.

Define schedule control

Controlling changes to the project schedule.

Define scope change control

Controlling changes to project scope (“creep”) so that the rate of change does not exceed the rate of progress.

Define stakeholder

Individuals and organizations that are actively involved in the project, or whose interests may be positively or negatively affected as a result of project execution or project completion. They may also exert influence over the project and its results.

Define statement of work (SOW)

A narrative description of products or services to be supplied under contract.

Define task

A generic term for work that is not included in the work breakdown structure but could potentially be a further decomposition of work by the individuals responsible for that work. Also, the lowest level of effort on a project.

Define work breakdown structure (WBS)

A deliverable–oriented grouping of project elements that organizes and defines the total work scope of the project. Each descending level represents an increasingly detailed definition of the project work.

Define work package

A deliverable at the lowest level of the work breakdown structure, when that deliverable may be assigned to another project manager to plan and execute. This may be accomplished through the use of a subproject where the work package may be further decomposed into activities.

System owner – verifier of product design and purpose. Has overall accountability for system (final result). Has the CHECKPOINT FUNCTION to APPROVE changes in scope, products, results, functionality, etc.

1. Estimation of project scope: must be as concise and as accurate as possible (will evolve). Must include assessment of complexity regarding human, technology, and other factors.
2. Identification of resources and constraints: this will include skills, technology, physical assets, and requires addressing the question of “in–house” or “out–source”.
3. Identifying roles and responsibilities: clearly establishing who will do what, skill levels, rotation, etc.

List the specific planning phase tasks (steps 4–6)?

4. Estimation of project cost: as much art as science. Should use cost models where feasible and historical cost where possible. The WBS is used to collect and estimate cost factors.
5. Developing schedules: setting start–finish dates for optimistic, pessimistic, and probable completion.
6. Identify technical activities: define the work at the task level, sequencing and linking, establishing methods and materials required.

List the specific planning phase tasks (steps 7–9)?

7. Identify deliverables: must have clear definitions of WHAT is due, required content, format, and success criteria.
8. Define management interfaces: communications planning and channels must be established as early as possible for flow of PM information on all subjects.
9. Preparation of Technical Mgmt. Plan (TEMP): included in the overall PMP and SEMP, and integrates technical execution with overall systems engineering and PM.

List the specific planning phase tasks (steps 10–11)?

10. Review of overall Project Mgmt. Plan (PMP): this overarching plan integrates consistently and coherently all aspects of project execution, schedule, and resources. All actions and changes roll up into it from subsidiary plans. It evolves and changes as the project moves forward.
11. Obtain customer agreement: all aspects must be in accordance with customer requirements and expectations, and this includes:
~ Environmental analysis
~ Feasibility analysis
~ Scope, requirements, and deliverables verification
~ Customer approval

What process groups are part of the management phase of technical management?

Effective and timely monitoring is crucial to facilitating problem resolution, corrective action planning and execution, and provides the analytical basis for understanding and correcting variances to baseline.

This is the part where the Project Manager assumes ownership and accountability for project success. He uses “referent” authority to influence all the key participants and steer the whole venture towards a successful conclusion.

What is milestone achievement?

To the extent that milestones are generally achieved in a serial rather than a parallel fashion, one milestone must normally be fully completed before the next can commence. Consequently, the project manager is obliged to focus heavily on whatever is the current milestone. Remember – payments are frequently tied to milestone achievement.

What is continuous risk assessment?

In line with a highly preventive management approach, continual risk assessments need to be carried out to identify risk categories, risk events, likelihood of occurrence, priorities for attention and mitigation strategies.

What is project closeout?

This step is extremely important because close–out and final payment can often be difficult if not planned properly. Some tips on how to close out effectively:
~ Understand the acceptance criteria for close–out.
~ Initiate early talks to gain clear visibility of any concerns.
~ Work to ensure that problem areas are cleared up in time.
~ Seek opportunities for the client to gain leverage after completion.
~ Avoid paying sub–contractors until the customer has accepted the work.
~ Do a lessons–learned exercise to capture improvement ideas.
~ Be sure to thank all the outstanding contributors.

The SOW provides the details regarding what is to be performed or delivered as a result/product:
~ Summary statement of the tasks to be accomplished
~ Identification of the input requirements from other tasks
~ References to applicable specifications, standards, procedures, and related documentation
~ Description of specific results to be achieved and a proposed schedule of delivery
It is often used to measure contractual obligations and compliance.

What is a Program Management Plan (PMP)?

The PMP covers all the planning at a high level and leads to low–level planning for specific activities.

The SEMP is the integrated “living” master plan that provides the central repository that binds together all subordinate plans, tasks, and other work elements. It contains:
~ Who is doing a thing or things
~ What things are done, in progress, to start…
~ When these things will start, or finish
~ Where the people, resources, documentation etc. are
~ How things are being organized and accomplished
(The RFP/SOW contain and outline the “why”.)

WBS describes how all the essential tasks of the project will be defined (including dependencies), assigned, and scheduled to members of the team.

In general, how many hierarchical activity levels are assigned to a WBS, and what are they?

3 levels:
~ Level 1 – Identifies the entire program scope of work to be produced
~ Level 2 – Identifies the various activities and categories of the entire program
~ Level 3 – Identifies the specific tasks of each category

What is a statement of milestones?

The Statement of Milestones derives from the SOW and describes in detail:
~ What is to be delivered by which activities and to whom
~ What the agreed deliverable content will be
~ The schedule on which the milestone will be achieved
All of which is subject to alteration and variance by change or environmental factors.

The QMP is the authoritative plan (integrates upward into the SEMP) that provides the central control for how “quality” is to be achieved throughout the project and in the final delivered product(s) and deliverables.

What is the definition of quality?

“Quality” is defined as “the degree to which a set of inherent characteristics [of performance, of appearance, or other] satisfies a set of requirements”.

What is quality management?

“Quality Management” is the process by which stakeholder needs, wants, and expectations are transformed into requirements that can then be executed and met by the project. “Quality Control” processes monitor and track this.

What are the components of a QMP?

The QMP will contain the framework necessary to implement, monitor, correct, and report on this aspect of overall project management and deliverables:
~ Standards to be employed (e.g., ISO 9000 or 10006)
~ Data elements and metrics to be collected
~ Analytical processes to be used (statistical, financial, etc.)
~ Benchmarks, comparators, KPIs, CSFs, and other analytics
~ Corrective Action Plans and progress reports
~ An interface to the Change Management process to assure awareness and capture of impacts to the SEMP

What is a configuration management plan (CMP)?

The CMP is the authoritative plan (that integrates upward into the SEMP) that provides the central control for how changes (in their infinite variety) will be identified, evaluated, escalated, implemented, tracked and controlled continuously throughout the SEMP execution.

Why must change be managed?

Change, as a factor affecting all aspects of the project, must be recognized as inevitable, but it must be managed to avoid unacceptable deviations and adverse impact to schedule, cost, quality, or other factors that ultimately compromise achievement of project objectives.

What are the components of a CMP?

The CMP as used by DoD describes a process with five components regarding configuration items (CI) and managing the potential impact of change to operations:
~ Management and Planning: approved and documented in the PMP
~ CI Identification: selection criteria and documentation
~ Configuration Control: the CM process to ensure no unmanaged change occurs
~ Status Accounting: the system for tracking change to baseline
~ Verification and Audit: provides interface and feedback to QA/QM

What is a risk management plan (RMP)?

The RMP describes the plan (that integrates upward into the SEMP) for how risks, threat agents, and physical, environmental, and other sources of risk are anticipated or identified throughout the project lifecycle, including:
~ Assessment and review processes and responsible roles
~ Reporting and documentation, including CM input
~ Controls and countermeasures used to mitigate, reduce, and avoid risk
The RMP uses NIST SP 800–30 and OMB A–130 as base requirements and guidance.

What is a Test and Evaluation Master Plan (TEMP)?

Test and Evaluation Master Plan (TEMP) – Overall description of test objectives:
~ Requirements for testing
~ Data to be collected and measured
~ Categories of tests
~ Methods and procedures to be used
~ Resources required for tests

Operational testing (OT&E):
~ Type 2: done in latter stages of detailed design (SUT)
~ Type 3: performed at initial qualification and prior to completion of production (IVT&E)
~ Type 4: performed during operations and lifecycle support phases

What is a PERT schedule?

The Program Evaluation and Review Technique (PERT) is a scheduling tool that defines the critical path (in red) through a project (zero float or slack).

Draw a PERT node and example PERT schedule with critical path

Check slide 501

What is a Requirements Traceability Matrix (RTM)?

Facilitates derivation of requirements from sources (laws, FIPS, project needs, etc.), showing source, object, rationale, verification, validation, and execution, traceable from the result back to the source.

~ Project Risk [criticality]: systematic and non–systematic risk factors that specifically threaten the timely, correct, and cost–effective completion of the project
~ IT Risk [sensitivity]: normal factors of risk that threaten to disrupt the CIA attributes of the IT involved (either as product or as support to the project)

Why is unmanaged change a risk?

The rate of unmanaged change will eventually exceed the rate of progress and endanger the project.

What are the sources of change?

Change has various sources: some is necessary, some otherwise. Change is a serious risk factor of positive and negative dimensions, and if not controlled can result in:
~ Increased cost
~ Scope creep
~ Schedule slippage
~ Excessive resource consumption
~ Unacceptable deliverables (content or quality)
~ Overall failure to complete on time, on budget, or at all

This model from C–M corresponds to an implementation approach for achievement of the CMM levels:
I – Initiating: lays the foundation for quality and process improvements (CMM–1)
D – Diagnosing: methods determine the “AS IS” relative to the “TO BE” (CMM–2)
E – Establishing: planning how to attain the chosen level of maturity (CMM–3)
A – Acting: executing the plan and achieving the desired results (CMM–4)
L – Learning: continually improving what you do and how you do it (CMM–5)

What do the early phase levels of CMM provide?

Early phase levels and processes lay foundations for committed organizations to begin building in managerial, technological, and operational structures and controls to enable growth, advancement, and achievement of the higher levels.

What are the early phase levels of CMM?

Levels 1 & 2

What do the later phase levels of CMM provide?

Institutionalize processes, methods, techniques, and tools to continue building managerial, technological, and operational structures and controls to maintain advancements and continually learn and improve.